
Congressional 
Research Service 

Informing the legislative debate since 1914 



Legislation to Facilitate Cybersecurity 
Information Sharing: Economic Analysis 



N. Eric Weiss 

Specialist in Financial Economics 
June 3, 2015 



Congressional Research Service 

7-5700 

www.crs.gov 

R43821 



CRS REPORT 

Prepared for Members and 
Committees of Congress 






Summary 

Data breaches, such as those at Target, Home Depot, Neiman Marcus, JPMorgan Chase, and 
Anthem, have affected financial records of tens of millions of households and seem to occur 
regularly. Companies typically respond by trying to increase their cybersecurity, hiring 
consultants, and purchasing new hardware and software. Policy analysts have suggested that 
sharing information about these breaches could be an effective and inexpensive part of improving 
cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, 
nonprofit organizations, such as Information Sharing and Analysis Centers (ISACs) that can 
analyze and disseminate information. 

Firms sometimes do not share information because of perceived legal risks, such as violating 
privacy or antitrust laws, and economic incentives, such as giving information that will benefit 
their competitors. A firm that has been attacked might prefer to keep such information private out 
of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to 
reward firms for sharing information. Their competitors can take advantage of the information, 
but not contribute in turn. This lack of reciprocity, called “free riding” by economists, may 
discourage firms from sharing. Information that is shared may not be applicable to those 
receiving it, or it might be difficult to apply. 

Because firms are reluctant to share information, other firms suffer from vulnerabilities that could 
be corrected. Further, by not sharing information about effective cybersecurity products and 
techniques, the size and quality of the market for cybersecurity products suffer. 

Some industry leaders call for mandatory sharing of information concerning attacks. Other 
experts advocate a strictly voluntary approach, because they believe it could impose fewer 
regulatory costs on businesses and cost less for taxpayers. 

A number of bills designed to encourage cybersecurity information sharing have been introduced 
in the 114th Congress, including H.R. 1560, Protecting Cyber Networks Act; H.R. 1731, National 
Cybersecurity Protection Advancement Act of 2015; and S. 754, Cybersecurity Information 
Sharing Act of 2015 (CISA). In April 2015, the House passed both H.R. 1560 and H.R. 1731, and 
it combined them into H.R. 1560 with the original H.R. 1560 as Title I and H.R. 1731 as Title II. 
On March 17, 2015, the Senate Select Committee on Intelligence reported out S. 754. 






Contents 

Introduction 1 

A Cybersecurity Problem: Misaligned Incentives 2 

The Problem of Underused Information 2 

Perceived Legal Barriers to Information Sharing 4 

Economic Incentives to Not Share Information 5 

Analysis of Firms’ Incentives to Share 6 

New Threats 6 

Developing and Sharing Countermeasures 6 

So Why Do Some Firms Share Information? 7 

Role of Consultants and Insurance Companies in Information Sharing 7 

How Can Organizations Share Information? 7 

Categories of Information 7 

Methods of Information Sharing 7 

Public and Private Sector Information Sharing 8 

ISACs 8 

Mandatory, Voluntary, and Incentivized Sharing 11 

Consequences of Inadequate Information Sharing 11 

Direct Effects on Security 11 

Indirect Security Effects through the Market for Cybersecurity Products 12 

Effects of Greater Information Sharing 12 

Selected Legislation in the 114th Congress to Encourage Information Sharing 13 

H.R. 1560: Protecting Cyber Networks Act (Title I) and National Cybersecurity 

Protection Advancement Act (Title II, formerly H.R. 1731) 13 

S. 754: Cybersecurity Information Sharing Act of 2015 14 

Analysis 15 

Conclusion: How Might Incentives Change? 15 

Figures 

Figure 1. Financial Services ISAC Membership Tiers 10 

Figure 2. Financial Services ISAC Membership Tiers (Continued) 10 

Contacts 

Author Contact Information 16 

Acknowledgments 16 






Introduction 

Cybercrime continues to increase. The media reports data breaches exposing tens of millions of 
personal financial records at retailers, such as Target, Home Depot, and TJ Maxx. The Ponemon 
Institute, an independent research institute, estimates that in 2013 the number of attacks on 59 
companies based in the United States increased over that of 2012 and the average cost per attack 
also increased. 1 The Ponemon study found the average cost of a cybercrime incident in FY2014 
was $12.7 million compared with $11.6 million in FY2013. 

The Center for Strategic and International Studies estimates that cybercrime costs the global 
economy about $445 billion in a typical year. 2 The risks to critical infrastructure and national 
security from cyberattacks are harder to quantify, but the Bipartisan Policy Center recently 
concluded that the United States has a “September 10th ability to guard against cyberattacks.” 3 
President Obama and some Members of Congress have identified increasing cybersecurity as a 
priority. 4 

It would seem that companies could increase their cybersecurity at relatively little cost by sharing 
information about cyberattacks. The costs of a data breach can include detection, containment, 
repair, incident response, investigation, fraud losses, and lost sales. The cost of sharing 
information, including joining a specialized sharing organization, is likely to be less than 
$100,000. 5 

One obstacle to reducing cybercrime is misaligned incentives, which reduce information sharing 
about cyberattacks. In the aftermath of a cyberattack, at least four groups could be notified: law 
enforcement, other companies, customers, and (for public companies) stockholders. In addition, 
certain regulated companies, such as banks and electrical utilities, could be required to notify 
their regulators of cyberattacks. 

If companies notify law enforcement — typically either the Federal Bureau of Investigation (FBI) 
or the Secret Service — they do so in the hope that those responsible will be brought to justice and 
that some sort of recovery can be made. They notify other companies in the hope that greater 
information sharing will improve security. Customers are notified so that they can monitor their 
financial information to prevent financial fraud. The Securities and Exchange Commission (SEC) 



1 Ponemon Institute, 2014 Cost of Cyber Crime Study: United States, October 2014, https://ssl.www8.hp.com/ww/en/ 
secure/pdf/4aa5-5208enw.pdf. The Ponemon report looks at the average cost of cybercrime per incident for 59 
companies, not the total cost in the United States. 

2 McAfee and the Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, 
June 2014, http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. 

3 Bipartisan Policy Center, Reflections on the Tenth Anniversary of the 9/11 Commission Report, Washington, DC, July 
2014, p. 7, http://bipartisanpolicy.org/sites/default/files/files/%20BPC%209-11%20Commission.pdf. The reference to 
September 10th is a comparison to the relative lack of airplane security that existed prior to the September 11, 2001 
attacks on the World Trade Centers and the Pentagon. 

4 See, for example, U.S. Senate Committee on Homeland Security and Governmental Affairs, “Senator Carper 
Introduces Bill to Increase Sharing of Cyber Threat Data,” press release, February 11, 2015, 
http://www.hsgac.senate.gov/media/minority-media/senator-carper-introduces-bill-to-increase-sharing-of-cyber-threat-data. 

5 Financial Services ISAC, Membership Benefits, https://www.fsisac.com/join. 






requires publicly traded companies to announce information that could affect investors’ decisions 
to invest in a company. 

This report analyzes information sharing by government with private companies, by private 
companies with the government, and among private companies. Sharing information with 
consumers is mentioned but is not the central focus of this report. 



A Cybersecurity Problem: Misaligned Incentives 

Understanding the economic incentives involved in cybersecurity and information sharing can 
improve the analysis of cybersecurity. 

Companies that suffer a cybersecurity breach such as the theft of credit card information do not 
pay the full cost of the breach. Retailers honoring stolen credit cards have charges reversed (so- 
called chargebacks) and end up without merchandise or payment. Credit card issuers say that they 
are not fully compensated for replacing stolen cards. 6 Consumers must monitor their financial 
accounts and update automated bill payment accounts to guard against cyberattacks. 7 

Meanwhile, software companies frequently weigh the benefits of delays to improve security 
against the costs of late releases. 8 According to some industry observers, software developers can 
be under pressure to “ship early, ship often” and fix security and other bugs in a later iteration. 9 
Similarly, companies may act in ways that they believe will preserve or increase their market 
share or profitability even at the expense of cybersecurity. 



The Problem of Underused Information 

Many in the cybersecurity field have suggested increasing cybersecurity information sharing 
between individuals, companies, nongovernmental organizations, and governments as a way to 
increase security. 

Many kinds of information can be shared to improve cybersecurity. This can include sharing ways 
to detect specific attacks and more general information about hardware, software, and procedures. 
It can include specific and general information about recovering from a data breach. The cost of 
sharing is relatively small, but the benefits can be large. Michael Daniel, the White House 
cybersecurity coordinator, described information sharing as “critical to effective cybersecurity,” 
and legislation was introduced in the 112th and 113th Congresses to promote information sharing. 10 



6 Nicholas Ballasy, “Home Depot Breach Costs CUs $60M,” Credit Union Times, October 30, 2014, 
http://www.cutimes.com/2014/10/30/home-depot-breach-costs-cus-60m. 

7 Tyler Moore and Ross Anderson, Economics and Internet Security: A Survey of Recent Analytical, Empirical, and 
Behavioral Research, Computer Science Group, Harvard University, 2011, p. 1, 
ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf. 

8 Ross Anderson, “Why Information Security Is Hard — An Economic Perspective,” 17th Annual Computer Security 
Applications Conference, December 10, 2001, http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf. 

9 Andrew Leonard, “Triumph of the Free-Software Will,” Salon, October 31, 2000, http://www.salon.com/2000/10/31/ 
software_passion/. 

10 For details, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current 
(continued...) 


